crypto-power / cryptopower

A cross-platform SPV (DCR, BTC & LTC) privacy wallet built with go.
ISC License

Release v1.1.4 broken manifest #524

Open xaur opened 2 months ago

xaur commented 2 months ago

There are three issues with https://github.com/crypto-power/cryptopower/releases/tag/v1.1.4

Issue 1:

sha256sum -c cryptopower-v1.1.4-manifest.txt
cryptopower-v1.1.4.apk: OK
sha256sum: cryptopower-darwin-amd64-v1.1.4.app.zip: No such file or directory
cryptopower-darwin-amd64-v1.1.4.app.zip: FAILED open or read
sha256sum: cryptopower-darwin-arm64-v1.1.4.app.zip: No such file or directory
cryptopower-darwin-arm64-v1.1.4.app.zip: FAILED open or read
cryptopower-linux-amd64-v1.1.4: OK
cryptopower-linux-arm64-v1.1.4: OK
cryptopower-windows-386-v1.1.4.exe: OK
cryptopower-windows-amd64-v1.1.4.exe: OK
sha256sum: WARNING: 2 listed files could not be read

Just renaming the cryptopower-darwin-* files to include the .app suffix will fix this. The hashes match otherwise.

Issue 2:

gpg signature check fails because it was created with EDDSA key 45BBDA8A927C44360B18ECC0FF54551AB3BF7E89. The expected key fingerprint is 5C26BFEC6C2466A528D5551CD05AC74F68976E52, taken from https://github.com/crypto-power/cryptopower/releases/tag/v1.0.0

Issue 3:

The cryptopower-v1.1.4-manifest.txt.asc file says Hash: SHA512 in it but the hash algo used is SHA256. This is a minor bug that doesn't prevent verification for me, but it may break verification for software/scripts that actually read this value.
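
An added example, not part of the issue thread or the project's code: a POSIX shell sketch of the two checks behind Issues 1 and 2, pinning the signer fingerprint from gpg's machine-readable status output and separating missing files from real hash mismatches. The function names are hypothetical, and it assumes the manifest's .asc file sits next to it and the signer's key is already imported.

```shell
#!/bin/sh
# Added example, not project code. EXPECTED_FPR is the fingerprint the issue
# says was published with the v1.0.0 release.
EXPECTED_FPR=5C26BFEC6C2466A528D5551CD05AC74F68976E52

# signer_matches STATUS FPR
# STATUS is the text gpg writes with --status-fd. Succeeds only when a VALIDSIG
# line names FPR as the signing key (field 3) or the primary key (last field)
# and no line reports a bad, unverifiable, expired-key or revoked-key signature.
signer_matches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# manifest_report MANIFEST
# Reads "hash  name" lines and prints "missing=N mismatched=M", so a file that
# is merely absent or misnamed (Issue 1) is told apart from one whose hash differs.
manifest_report() {
    dir=$(dirname "$1"); missing=0; mismatched=0
    while read -r sum name; do
        [ -n "$sum" ] || continue
        name=${name#\*}                      # drop sha256sum's binary-mode marker
        if [ ! -f "$dir/$name" ]; then
            missing=$((missing + 1))
        elif [ "$(sha256sum < "$dir/$name" | cut -d' ' -f1)" != "$sum" ]; then
            mismatched=$((mismatched + 1))
        fi
    done < "$1"
    echo "missing=$missing mismatched=$mismatched"
}

# verify_release MANIFEST
# Assumes MANIFEST.asc sits beside MANIFEST and the signer's key is in the keyring.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$1.asc" 2>/dev/null) || true
    if ! signer_matches "$status" "$EXPECTED_FPR"; then
        echo "signature is not from $EXPECTED_FPR" >&2
        return 1
    fi
    report=$(manifest_report "$1")
    echo "$report"
    [ "$report" = "missing=0 mismatched=0" ]
}
```

Call it as `verify_release cryptopower-v1.1.4-manifest.txt` from the directory holding the downloaded release files.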

dreacot commented 2 months ago

Issues 1 and 2 are resolved as of the time of writing this; please check again.

However, the cryptopower-v1.1.4-manifest.txt.asc file is auto-generated by gpg; not sure it's a good idea to manually edit it.